Bug 43596 - linux: Multiple security issues (ES 3.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Kernel
UCS 3.3
Other Linux
Importance: P1 normal
Target Milestone: UCS 3.3-1-errata
Assigned To: Philipp Hahn
QA Contact: Janek Walkenhorst
URL: https://anonscm.debian.org/cgit/kerne...
Depends on: 42099
Blocks:
Reported: 2017-02-21 13:26 CET by Arvid Requate
Modified: 2017-06-28 16:23 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.160
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-02-21 13:26:13 CET
Upstream Debian Jessie Kernel 3.16.39-1+deb8u1 (unreleased) fixes a couple of issues:

* perf: Fix event->ctx locking (CVE-2016-6786 CVE-2016-6787)
* perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race (CVE-2017-6001)
* dccp: fix freeing skb too early for IPV6_RECVPKTINFO (CVE-2017-6074)
* sctp: avoid BUG_ON on sctp_wait_for_sndbuf (CVE-2017-5986)
* perf: Do not double free (dependency of fix for CVE-2017-6001)
* fbdev: color map copying bounds checking (CVE-2016-8405)
* sysctl: Drop reference added by grab_header in proc_sys_readdir (CVE-2016-9191)
* [x86] KVM: fix emulation of "MOV SS, null selector" (CVE-2017-2583)
* [x86] KVM: Introduce segmented_write_std (CVE-2017-2584)
* selinux: fix off-by-one in setprocattr (CVE-2017-2618)
* USB: serial: kl5kusb105: fix line-state error handling (CVE-2017-5549)
* tmpfs: clear S_ISGID when setting posix ACLs (CVE-2017-5551)
* ip6_gre: fix ip6gre_err() invalid reads (CVE-2017-5897)

Upstream Debian Jessie Kernel 3.16.39-1 (released) fixes a couple of issues:

* netlink: Fix dump skb leak/double free (CVE-2016-9806)
* block: fix use-after-free in sys_ioprio_get() (CVE-2016-7911)
* block: fix use-after-free in seq file (CVE-2016-7910)
* [arm64] perf: reject groups spanning multiple HW PMUs (CVE-2015-8955)
* firewire: net: guard against rx buffer overflows (CVE-2016-8633)
* brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() (CVE-2016-8658)
* vfio/pci: Fix integer overflows, bitmask check (CVE-2016-9083, CVE-2016-9084)
* fs: Give dentry to inode_change_ok() instead of inode
* fs: Avoid premature clearing of capabilities (CVE-2015-1350)
* posix_acl: Clear SGID bit when setting file permissions (CVE-2016-7097)
* sg: Fix double-free when drives detach during SG_IO (CVE-2015-8962)
* perf: Fix race in swevent hash (CVE-2015-8963)
* tty: Prevent ldisc drivers from re-using stale tty fields (CVE-2015-8964)
* usb: gadget: f_fs: Fix use-after-free (CVE-2016-7912)
* HID: core: prevent out-of-bound readings (CVE-2016-7915)
* netfilter: nfnetlink: correctly validate length of batch messages (CVE-2016-7917)
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
* net: Add __sock_queue_rcv_skb()
* rose,dccp: limit sk_filter trim to payload
* tcp: take care of truncations done by sk_filter() (CVE-2016-8645)
* mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (CVE-2016-8650)
* packet: fix race condition in packet_set_ring (CVE-2016-8655)
* [x86] Fix potential infoleak in older kernels (CVE-2016-9178)
* sctp: validate chunk len before actually using it (CVE-2016-9555)
* sg_write()/bsg_write() is not fit to be called under KERNEL_DS (CVE-2016-9576, CVE-2016-10088)
* [x86] KVM: drop error recovery in em_jmp_far and em_ret_far (CVE-2016-9756)
* net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
* ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)
Comment 1 Arvid Requate univentionstaff 2017-02-27 11:51:29 CET
Upstream Debian Jessie Kernel 3.16.39-1+deb8u1 has been released with two additional issues fixed:

* KVM leaks page references when emulating a VMON for a nested hypervisor.  This can be used by a privileged user in a guest VM for denial of service or possibly to gain privileges in the host (CVE-2017-2596)

* Denial-of-service flaw in the IPv4 networking code.  This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option (CVE-2017-5970)
Comment 2 Philipp Hahn univentionstaff 2017-03-09 14:49:18 CET
repo_admin.py -U -p linux -r 3.3 -s errata3.3-1 -d wheezy-backports
# 3.16.39-1+deb8u1~bpo70+1

Package: linux
Version: 3.16.39-1~bpo70+1~ucs3.3.223.201703091448
Branch: ucs_3.3-0
Scope: errata3.3-1
Comment 3 Philipp Hahn univentionstaff 2017-03-10 17:17:20 CET
r77592 | Bug #43596 linux: Copyright 2017
r77591 | Bug #43596 linux: Update to 3.16.39

Package: univention-kernel-image
Version: 7.100.0-12.123.201703101620
Branch: ucs_3.3-0
Scope: errata3.3-1

r77595 | Bug #43596: linux-3.16.39 for errata 3.3-1

FYI: I didn't check what is already back-ported from <https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.41> and what not.

QA: dmesg diff
# diff 3.16.0-ucs2*
4c4
< Linux version 3.16.0-ucs216-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5~ucs3.3.12.201602191338) ) #1 SMP Debian 3.16.38-0.1~bpo70+1.216.201611212052 (2016-11-21)
---
> Linux version 3.16.0-ucs223-amd64 (debian-kernel@lists.debian.org) (gcc version 4.7.2 (Debian 4.7.2-5~ucs3.3.12.201602191338) ) #1 SMP Debian 3.16.39-1~bpo70+1~ucs3.3.223.201703091448 (2017-03
302,303c302,306
< simple-framebuffer simple-framebuffer.0: framebuffer at 0xfc000000, 0x160000 bytes, mapped to 0xffffc90000200000
< simple-framebuffer simple-framebuffer.0: format=r8g8b8, mode=800x600x24, linelength=2400
---
> efifb: probing for efifb
> efifb: framebuffer at 0xfc000000, mapped to 0xffffc90000200000, using 1408k, total 1408k
> efifb: mode is 800x600x24, linelength=2400, pages=1
> efifb: scrolling: redraw
> efifb: Truecolor: size=0:8:8:8, shift=0:16:8:0
305c308
< simple-framebuffer simple-framebuffer.0: fb0: simplefb registered!
---
> fb0: EFI VGA frame buffer device

See Bug #42754 comment 1 for the explanation of why SYSFB was disabled.
Comment 4 Philipp Hahn univentionstaff 2017-03-13 08:54:05 CET
The next 3.16.42 is scheduled for Wed 2017-03-15
Comment 5 Arvid Requate univentionstaff 2017-03-16 14:20:29 CET
3.16.42 fixes at least:

CVE          : upstream commit
=======================================================
CVE-2017-5669: 95e91b831f87ac8e1f8ed50c14d709089b4e01b8
CVE-2017-6348: 4c03b862b12f980456f9de92db6d508a4999b788
CVE-2017-2596: 06ce521af9558814b8606c0476c54497cf83a653
CVE-2017-6345: 8b74d439e1697110c5e5c600643e823eb1dd0762
CVE-2017-6346: d199fab63c11998a602205f7ee7ff7c05c97164b
CVE-2017-6353: 2dcab598484185dea7ec22219c76dcdd59e3cb90
CVE-2017-6353: dfcb9f4f99f1e9a49e43398a7bfbf56927544af1
CVE-2017-2636: 82f2341c94d270421f383641b7cd670e474db56b

We should pick it up once it's released in jessie-security.
Comment 6 Arvid Requate univentionstaff 2017-03-20 16:21:13 CET
Upstream Debian Jessie Kernel 3.16.39-1+deb8u1 (unreleased) fixes a couple of additional issues:

* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (CVE-2016-9588)

* Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (CVE-2017-5986)

* CVE-2017-2636 CVE-2017-5669 CVE-2017-6214 CVE-2017-6345 CVE-2017-6346 CVE-2017-6348 CVE-2017-6353 (see descriptions below)
From the commit hashes mentioned in the git log of linux-stable branch linux-3.16.y tag v3.16.42 I guess at least these additional issues are fixed there:

* fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts (CVE-2016-6213)
* The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (CVE-2016-8632)
* Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time (CVE-2016-9120)
* arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (CVE-2016-9588)
* Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (CVE-2016-10200)
* The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (CVE-2016-10208)
* Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline (CVE-2017-2636)
* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (CVE-2017-5669)
* The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (CVE-2017-6214)
* The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (CVE-2017-6345)
* Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls (CVE-2017-6346)
* The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (CVE-2017-6348)
* net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (CVE-2017-6353)
Comment 7 Philipp Hahn univentionstaff 2017-04-15 10:07:51 CEST
r17459 | Bug #43596 linux: 3.16.43 for errata-3.3.1
r17460 | Bug #43596 linux: 3.16.43 for errata-3.3.1 2

Package: linux
Version: 3.16.39-1~bpo70+1~ucs3.3.225.201704150007
Branch: ucs_3.3-0
Scope: errata3.3-1

r78798 | Bug #43596 linux: Update to 3.16.43

Package: univention-kernel-image
Version: 7.100.0-13.124.201704150020
Branch: ucs_3.3-0
Scope: errata3.3-1

r78799 | Bug #43596 linux: Update to 3.16.43 YAML
Comment 8 Janek Walkenhorst univentionstaff 2017-06-27 17:25:15 CEST
Tests (i386): OK
Advisory: OK